ISM-1980 policy ASD Information Security Manual (ISM)

Avoid Using Credential Hints in Systems

Systems should not offer password hints, because hints can help reveal or guess passwords.

Plain language

You should avoid using hints that help people remember passwords because they can make it easier for bad actors to guess them. If someone figures out your password, they could access your organisation's sensitive information and cause harm, such as stealing data or disrupting operations.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Nov 2024

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Credential hint functionality is not used for systems.
Why it matters

Credential hints increase the likelihood of unauthorised access by simplifying password guessing, risking data breaches and financial loss.

Operational notes

Regularly review authentication systems to ensure they're free from hint mechanisms that could aid attackers in guessing credentials.

Implementation tips

  • System owners should review all login processes to identify where credential hints are used. List any instances where hints might display or send a clue about passwords to users. This helps ensure that no password hints are made available.
  • IT teams should modify software and systems to disable password hint features. Check each system’s settings or configurations and switch off any options that provide hints. This will ensure that no hints are accidentally shown to users.
  • Managers should educate staff on the importance of using strong, unique passwords without relying on hints. Organise training sessions explaining the risks of weak passwords and the benefit of using a password manager instead.
  • Human Resources should update any employee handbooks or guidelines to include policies against using credential hints. Clearly document why hints aren’t used and describe the procedures to follow if help with credentials is needed.
  • System administrators should implement measures to support users in resetting forgotten passwords easily and securely without needing hints. Ensure there is a clear password reset process, such as using email verification or mobile authentication, to confirm the user's identity before allowing a password change.

Audit / evidence tips

  • System configuration logs. Ask: Request documentation or screenshots showing the system settings related to password management. Good: Shows clear evidence that credential hints are disabled across all systems.
  • Training records. Ask: Request materials and attendance logs from staff training sessions about password security. Good: Includes dated training materials and a list of attendees.
  • Policy updates. Ask: Request the latest employee handbook or IT policy documents. Good: Shows these policies are up to date and communicated to all staff.
  • Evidence of a password reset process. Ask: Request the documentation or walkthrough of the current password reset process for users. Good: Is a detailed description showing how users can reset passwords securely.
  • A demonstration. Ask: Request a live or recorded demonstration of the login and password reset process. Good: Shows the process step-by-step with explanations of each phase.
Cross-framework mappings

How ISM-1980 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

No cross-framework mappings recorded yet.
